I admit I havent investigated this thoroughly, but I suspect the low hanging fruit in the tinykvm case is having rw access to /dev/kvm

I think it should be possible to pass /dev/kvm as an open fd to daemons like kvm server and mark it as non-inheritable. As long as the vm is in a subprocess it would be okay I guess.